
Remote, branch office VPN access with DSL

Connecting multiple branch or remote offices to the main office can be done easily over DSL with a typical IPsec VPN solution; explore the options, including using a Cisco router.

Connecting branch or remote offices to the VPN using DSL is a solid way to provide a secure connection -- it is essentially a typical IPsec remote access VPN. Consider the situation using a Cisco 1760: the router serves as the VPN gateway, using DSL to obtain its Internet access. Every remote host that needs to reach the main office network requires Cisco VPN Client software and some kind of Internet access. The policies on the Cisco 1760 must be configured to permit access by those clients, including user credentials to authenticate each client and IPsec selectors that determine which hosts/subnets each client is permitted to access inside your main office network.

Another option would be to install VPN hardware at every remote office and set up a site-to-site VPN that connects the remote offices to the main office. Individual hosts would not need their own VPN client software or user credentials, because all clients at each remote office would share the tunnels between the remote and main VPN gateways. This makes more sense if everyone at each remote office has the same access to the main office network. However, if only a few clients need access, or permissions need to vary per user, then a remote access VPN is more appropriate.

For a remote access VPN, NAT Traversal support in the Cisco 1760 and in the VPN Client software lets IPsec traffic pass through the remote office router/firewalls, whatever they may be. However, the router/firewall at every remote office must still be configured to permit bi-directional traffic on the ports used by the VPN.

Each remote office will need appropriately configured Cisco VPN Client software installed on every remote host, a username/password assigned to each authorized user, and training for users on how and when to launch the VPN client.

On the Cisco 1760, Extended Authentication (XAUTH) is probably the logical choice, combined with a group policy that defines a pre-shared secret shared by everyone in that group. Users can be authenticated locally, or an ACS server can be used for user authentication.
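The configuration below is an added illustration, not text from the original answer or from Cisco; it shows how the pieces the answer describes fit together on the main-office router as an IOS Easy VPN server: a group pre-shared key, XAUTH against the local user database (swap in a RADIUS/TACACS+ group for ACS), an address pool for clients, and an access list that acts as the IPsec selector limiting which main-office subnets a client may reach. All names, addresses and secrets are placeholders, and the command set assumes an IOS release with the Easy VPN server feature, so verify each command against the 1760's own IOS version.

```cisco
! Added example, not the original answer's text: Easy VPN server on the
! main-office Cisco 1760 for remote-access clients arriving over DSL.
! Every name, address and secret below is a placeholder.

aaa new-model
! XAUTH user authentication against the local database. To use an ACS
! server instead, point these lists at a RADIUS or TACACS+ server group.
aaa authentication login vpn-xauth local
aaa authorization network vpn-group local
username alice secret REPLACE_WITH_USER_PASSWORD

! Phase 1 (IKE) policy: the group pre-shared key authenticates the
! client software; XAUTH then adds the per-user credential check.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
! NAT-T (UDP/4500) is on by default on Easy VPN-capable IOS; the keepalive
! keeps the remote-office NAT/firewall state alive while a tunnel is idle.
crypto isakmp nat keepalive 20

! The client group: shared group key, the address pool handed to clients,
! and the ACL pushed to clients as the split-tunnel list (the "IPsec
! selector" that limits which main-office subnets each client can reach).
crypto isakmp client configuration group remote-users
 key REPLACE_WITH_GROUP_PRESHARED_KEY
 pool vpn-pool
 acl 101

! Phase 2 (IPsec) transform set and a dynamic crypto map, because the
! clients' public addresses are not known in advance.
crypto ipsec transform-set vpn-ts esp-aes 256 esp-sha-hmac
crypto dynamic-map vpn-dyn 10
 set transform-set vpn-ts
 reverse-route

! Bind XAUTH, group authorization and client address assignment to the map.
crypto map vpn-map client authentication list vpn-xauth
crypto map vpn-map isakmp authorization list vpn-group
crypto map vpn-map client configuration address respond
crypto map vpn-map 10 ipsec-isakmp dynamic vpn-dyn

! Addresses assigned to VPN clients, and the one main-office subnet
! (192.168.1.0/24 here) that clients in this group are allowed to reach.
ip local pool vpn-pool 192.168.250.1 192.168.250.50
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.250.0 0.0.0.255

! Apply the crypto map on the DSL-facing interface (a PPPoE dialer here).
interface Dialer0
 crypto map vpn-map
```

Two practical points follow from this layout. At each remote office the router/firewall has to allow the client's outbound UDP/500 (IKE) and UDP/4500 (NAT-T) and the corresponding replies; with NAT-T in use, ESP is carried inside UDP/4500, so IP protocol 50 does not need to be opened separately. And if the 1760 also performs NAT for ordinary office Internet access, the NAT access list must exclude traffic from the office subnet to the VPN pool, otherwise return traffic to clients is translated before it reaches the tunnel and the VPN appears to connect but carries nothing.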

This question was asked at Ask the Experts on

Lisa Phifer, Contributing expert
About the author: Lisa Phifer is president and co-owner of Core Competence, a consulting firm focused on business use of emerging network and security technologies. At Core Competence, Lisa draws upon her 27 years of network design, implementation and testing experience to provide a range of services, from vulnerability assessment and product evaluation to user education and white paper development. She has advised companies large and small regarding the use of network technologies and security best practices to manage risk and meet business needs. Lisa teaches and writes extensively about a wide range of technologies, from wireless/mobile security and intrusion prevention to virtual private networking and network access control. She is also a site expert to and

This was last published in June 2009
